Malicious package

test-npm-style (npm)

Malicious code in test-npm-style (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-771
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall test-npm-style

What this malware does

The package test-npm-style was found to contain malicious code.

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

The OpenSSF Package Analysis project identified 'test-npm-style' @ 1.0.11 (npm) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

Malicious versions

7 flagged: 1.0.3, 1.0.5, 1.0.7, 1.0.8, 1.0.9, 1.0.11, 1.0.12

Indicators of compromise (SHA-256)

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for test-npm-style (7 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging test-npm-style across your stack and pipelines.

  2. If you installed it — respond

    Remove test-npm-style from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If test-npm-style was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks test-npm-style before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
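
For step 1, a lockfile check can be scripted directly. The following is an added example, not code from O3 Security or OpenSSF: it walks a parsed package-lock.json in both the flat "packages" layout (lockfileVersion 2/3) and the nested "dependencies" layout (lockfileVersion 1), including aliased installs, and reports every occurrence of test-npm-style with a flag for the versions listed on this page. The function name and the sample lockfile are constructed for illustration.

```javascript
const PKG = "test-npm-style";
// Versions this page lists as malicious.
const FLAGGED = new Set(["1.0.3", "1.0.5", "1.0.7", "1.0.8", "1.0.9", "1.0.11", "1.0.12"]);

// Return every occurrence of PKG in a parsed package-lock.json object.
function findTestNpmStyle(lock) {
  const hits = [];
  const record = (where, version) =>
    hits.push({ where, version, flagged: FLAGGED.has(version) });

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An aliased install keeps the real name in meta.name; otherwise the
    // name is whatever follows the last "node_modules/" in the path.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PKG) record(path, meta.version);
  }

  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [key, meta] of Object.entries(deps || {})) {
      // v1 records an alias as version "npm:<real-name>@<version>".
      const alias = /^npm:(.+)@([^@]+)$/.exec(meta.version || "");
      const name = alias ? alias[1] : key;
      const version = alias ? alias[2] : meta.version;
      if (name === PKG) record([...trail, key].join(" > "), version);
      walk(meta.dependencies, [...trail, key]);
    }
  };
  // v2 files carry both layouts; skip the legacy tree to avoid duplicates.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.1" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/build-tool/node_modules/test-npm-style": { version: "1.0.11" },
    "node_modules/styles": { name: "test-npm-style", version: "1.0.4" },
  },
};

console.log(findTestNpmStyle(SAMPLE_LOCK));
```

Any hit warrants removal; a hit with flagged set to true also means the response in steps 2 and 3 applies.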

Frequently asked questions

No. test-npm-style on npm has been identified as a malicious package (versions 1.0.3, 1.0.5, 1.0.7, 1.0.8, 1.0.9, 1.0.11, 1.0.12 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GHSA-23p3-w862-22mh

Credits

  • Amazon Inspector · finder
  • OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks test-npm-style-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
